{
  "description": "Enterprise techniques used by VOID MANTICORE, ATT&CK group G1055 (v1.0)",
  "name": "VOID MANTICORE (G1055)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1134", "showSubtechniques": true},
    {"techniqueID": "T1134.001", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used custom tooling to acquire tokens using `ImpersonateLoggedOnUser/SetThreadToken`.(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized ADRecon to enumerate the Active Directory environment.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1087.003", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used compromised Exchange accounts to search mailboxes for administrator accounts.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1098", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged access to administrative control systems to achieve disruptive effects, consistent with administrative account abuse or privilege escalation within existing access.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)(Citation: SEC 8K Palo Alto Statement Stryker Corp Handala March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1098.002", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors added the `ApplicationImpersonation` management role to accounts under their control to impersonate users and take ownership of targeted mailboxes.(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has registered domains for messaging purposes.(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has created typosquatted domains and sub-domains in attempts to avoid detection or drawing suspicion.(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also purchased domains leveraging cryptocurrency platforms to include LiteCoin and Ramzinex.(Citation: DOJ FBI Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has registered and rotated domains to support public-facing dissemination infrastructure, replacing disrupted domains with new registrations.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.003", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized VPS solutions for C2.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.004", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged backend servers within Iran.(Citation: DOJ FBI Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.006", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has obtained access to commercial VPN services to launch malicious activity.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also leveraged Starlink internet services.(Citation: Check Point VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used operator-controlled Telegram bots and channels as C2 infrastructure.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1595", "showSubtechniques": true},
    {"techniqueID": "T1595.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has scanned victim environments for susceptibility to vulnerability exploitation.(Citation: DOJ FBI Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized HTTPS for communication to C2 domains.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has stored collected data in a password-protected compressed file prior to exfiltration.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1123", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has gathered audio during a Zoom session.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1119", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) conducted large-scale data exfiltration in the Stryker operation, consistent with automated or scripted collection against enterprise systems.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has created Windows Registry entries to autorun stage-two malware payloads to maintain persistence.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has conducted brute-force attempts against organizational VPN infrastructure.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1110.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has conducted password guessing to gain initial access.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110.004", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized credential stuffing attacks to obtain initial access to victim environments.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1651", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has abused built-in remote wipe or factory reset commands to wipe devices managed within an organization\u2019s cloud management solution, impacting laptops, servers, and mobile devices.(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized PowerShell to execute malware in victim environments.(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used the PowerShell cmdlets New-MailboxSearch and Get-Recipient for discovery.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used Windows batch files for persistence and execution.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized Python scripts to execute its malicious payloads.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1485", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has conducted data wiping attacks on compromised systems.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also manually deleted files from compromised hosts, to include selecting all files and then deleting them.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1486", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized legitimate disk encryption utilities to increase the likelihood of encrypting system drives and reduce system recovery efforts.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used [ROADSWEEP](https://attack.mitre.org/software/S1150) ransomware to encrypt files on targeted systems.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1213", "showSubtechniques": true},
    {"techniqueID": "T1213.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has accessed victims\u2019 public-facing SharePoint servers and exfiltrated data.(Citation: DOJ FBI Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has collected cached data and files from within the victim environment.(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has staged compressed files in specified locations prior to exfiltration over C2.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1587", "showSubtechniques": true},
    {"techniqueID": "T1587.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized custom malware and wipers to include BiBi Wiper.(Citation: DOJ FBI Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1686", "showSubtechniques": true},
    {"techniqueID": "T1686.003", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has disabled Windows Defender protections to allow for follow-on activities within the compromised host.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1685", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1685.001", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors deleted Windows event and application logs.(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1561", "showSubtechniques": true},
    {"techniqueID": "T1561.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized a disk wiping utility to facilitate destructive actions on victim servers.(Citation: DOJ FBI Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also utilized legitimate remote disk wiping commands.(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1561.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has deployed custom wipers that overwrite system files and the host device\u2019s master boot record (MBR) to corrupt or destroy files.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used a version of [ZeroCleare](https://attack.mitre.org/software/S1151) to wipe disk drives on targeted hosts.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1484", "showSubtechniques": true},
    {"techniqueID": "T1484.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized Group Policy logon scripts to distribute malicious payloads to victim devices through the execution of a batch file.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1114", "showSubtechniques": true},
    {"techniqueID": "T1114.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has gathered victim email content from victim servers.(Citation: DOJ FBI Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors made multiple HTTP POST requests to the Exchange servers of the victim organization to transfer data.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1585", "showSubtechniques": true},
    {"techniqueID": "T1585.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has created Telegram accounts.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also leveraged online personas such as Handala Hack, Karma, and Homeland Justice on social media to include Telegram.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has established and maintained social media accounts on Twitter/X and Telegram to amplify operational claims and stolen data disclosures.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1585.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has created email accounts to send threatening messages to victims to include \u2018Handala_Team[@]outlook[.]com\u2019.(Citation: DOJ FBI Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) malware has exfiltrated collected data via Telegram bot C2 channels using encrypted communications.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used HTTP to transfer data from compromised Exchange servers.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has exploited public-facing vulnerabilities within victim environments to include SharePoint CVE-2019-0604.(Citation: DOJ FBI Handala Hack March 2026)\n\nFor [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors exploited CVE-2019-0604 in Microsoft SharePoint for initial access.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1133", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged public-facing VPN infrastructure to gain initial access to victim environments.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1657", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has conducted data exfiltration and posted stolen information on data leak sites for the purposes of financial and political extortion.(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: DOJ FBI Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also sold stolen data to prospective buyers for cryptocurrency.(Citation: DOJ FBI Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1589", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has gathered details on their intended victims to aid social engineering efforts that leverage tailored attack themes.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized PowerShell scripts that run without notifying the user of their execution to include `-nop -w hidden- ep bypass -enc`.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has deployed additional payloads from dedicated C2 servers.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also downloaded legitimate tools and software from publicly available services.(Citation: Check Point VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized VeraCrypt, a legitimate disk encryption utility, downloaded directly from its website.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used web shells to download files to compromised infrastructure.(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false},
    {"techniqueID": "T1490", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has deleted virtual machines directly from the virtualization platform.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1570", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors initiated a process named Mellona.exe to spread the [ROADSWEEP](https://attack.mitre.org/software/S1150) file encryptor and a persistence script to a list of internal machines.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has masqueraded as commonly used programs and services on Windows hosts.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has masqueraded malicious payloads to resemble legitimate applications.(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged malicious payloads that use nomenclature associated with common applications that include Pictory, KeePass, WhatsApp, and Telegram.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors renamed [ROADSWEEP](https://attack.mitre.org/software/S1150) to GoXML.exe and [ZeroCleare](https://attack.mitre.org/software/S1151) to cl.exe.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1046", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors executed the Advanced Port Scanner tool on compromised systems.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has compressed their payloads by leveraging zip files.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has developed or obtained trojanized applications used for persistent surveillance of targeted individuals.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has obtained and utilized commercial VPN services, open-source software, and publicly available offensive security tools to facilitate malicious activities.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used tools including Advanced Port Scanner, [Mimikatz](https://attack.mitre.org/software/S0002), and [Impacket](https://attack.mitre.org/software/S0357).(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1588.003", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used tools with legitimate code signing certificates.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has dumped LSASS credentials using `comsvcs.dll` via `rundll32.exe`.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors dumped LSASS memory on compromised hosts.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1566", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has emailed victims threatening messages.(Citation: DOJ FBI Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used phishing as an initial access vector.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1572", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used tunneling tools to facilitate destructive attacks on compromised devices.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1219", "showSubtechniques": true},
    {"techniqueID": "T1219.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has installed NetBird on victim devices to create a mesh network that facilitated control of several victim devices at once.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used RDP to move laterally within the victim environment.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors primarily used RDP for lateral movement in the victim environment.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used SMB for lateral movement.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has captured screen content during an active Zoom session.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1679", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has avoided interacting with specific directories in order to reduce the likelihood of detection.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.003", "comment": "For [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used .aspx webshells named pickers.aspx, error4.aspx, and ClientBin.aspx to maintain persistence.(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1684", "showSubtechniques": true},
    {"techniqueID": "T1684.001", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has impersonated individuals familiar to the victim and technical support associated with social messaging services.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1072", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged legitimate built-in features of cloud-based management platforms to include mobile device management (MDM) and Remote Monitoring and Management (RMM) solutions.(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also initiated built-in remote wipe instructions using a privileged account within Microsoft Intune.(Citation: SPECOPS Outpost24 Handala Hack Stryker March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has gathered system information and disseminated it back to C2.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1199", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has targeted IT and service providers in an effort to obtain credentials, relying largely on compromised VPN accounts for initial access.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has exported credentials from registry hives to include those stored in HKLM.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has delivered malicious payloads that initiate through user execution to include interaction with a masqueraded file.(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used trojanized application lures to induce targets into executing malware enabling persistent surveillance.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged valid accounts to log into VPN infrastructure.(Citation: Check Point VOID MANTICORE Handala Hack March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used compromised valid credentials to gain access to management infrastructure and enterprise control systems.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also validated and tested authentication using compromised credentials prior to malicious actions.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used a compromised Exchange account to search mailboxes and create new Exchange accounts.(Citation: CISA Iran Albanian Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true},
    {"techniqueID": "T1078.001", "comment": "During [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used the built-in administrator account to move laterally using RDP and [Impacket](https://attack.mitre.org/software/S0357).(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true},
    {"techniqueID": "T1078.002", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has used previously compromised Domain Administrator credentials to maintain persistent access.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078.004", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged privileged cloud accounts to access cloud-based management consoles to include Microsoft Intune.(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has also compromised existing accounts within the Microsoft Entra ID environment.(Citation: SEC 8-K Stryker Corporation Filing Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1125", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has collected video from compromised victim devices.(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized the Telegram API for C2.(Citation: DOJ FBI Handala Hack March 2026)(Citation: FBI IC3 Flash VOID MANTICORE Handala Hack March 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized WMIC to log into the victim host and create a process with `process call create \u201ccmd.exe /c  copy \\\\?\\\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\windows\\system32\\config\\system c:\\users\\public\u201d`.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)\n\nDuring [HomeLand Justice](https://attack.mitre.org/campaigns/C0038), threat actors used WMI to modify Windows Defender settings.(Citation: Microsoft Albanian Government Attacks September 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [
    {"label": "used by VOID MANTICORE", "color": "#66b1ff"},
    {"label": "used by a campaign attributed to VOID MANTICORE", "color": "#ff6666"},
    {"label": "used by VOID MANTICORE and used by a campaign attributed to VOID MANTICORE", "color": "#ff66f4"}
  ]
}